
I have a site that I log into, much like this forum, at a URL such as http://www.example.com/index.php?c=dashboard&a=index. While I am logged in, if I open www.example.com in another window, it logs me in again automatically, every time. How do I make it so that each time I go to www.example.com I have to log in again, and so that if I walk away from my computer for more than a few minutes it logs me out?

 

 


<div>
<img src="http://www.example.com/public/login.png" width="100" height="100" " />
<div)



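<?php
  // Login form template: posts login[username], login[password] and login[remember]
  // to the access/login action. Reads $login_data (assigned by the controller) to
  // refill the username / remember fields and to carry ref_* values through the POST.
  set_page_title(lang('login'))
?>
<form action="<?php echo get_url('access', 'login') ?>" method="post">
<?php tpl_display(get_template_path('form_errors')) ?>
  <div id="loginUsernameDiv">
    <label for="loginUsername"><?php echo lang('username') ?>:</label>
    <?php // NOTE(review): the submitted username is echoed back through text_field(); confirm that helper HTML-escapes its value ?>
    <?php echo text_field('login[username]', array_var($login_data, 'username'), array('id' => 'loginUsername', 'class' => 'medium')) ?>
  </div>
  <div id="loginPasswordDiv">
    <label for="loginPassword"><?php echo lang('password') ?>:</label>
    <?php // The password field is never refilled (value is null) ?>
    <?php echo password_field('login[password]', null, array('id' => 'loginPassword', 'class' => 'medium')) ?>
  </div>
  <div class="clean"></div>
  <div style="margin-top: 6px">
    <?php echo checkbox_field('login[remember]', array_var($login_data, 'remember') == 'checked', array('id' => 'loginRememberMe')) ?>
    <label class="checkbox" for="loginRememberMe"><?php echo lang('remember me') ?></label>
  </div>
  
<?php
  // ref_* entries originate from the request (query string on the first view, POST on a
  // failed login), so both key and value are untrusted. They are written into HTML
  // attributes and must be escaped, otherwise a crafted link to the login page can
  // inject markup. Non-scalar values (e.g. ref_x[]=...) are skipped instead of printed.
?>
<?php if(isset($login_data) && is_array($login_data) && count($login_data)) { ?>
<?php foreach($login_data as $k => $v) { ?>
<?php if(str_starts_with($k, 'ref_') && is_scalar($v)) { ?>
  <input type="hidden" name="login[<?php echo htmlspecialchars((string) $k, ENT_QUOTES, 'UTF-8') ?>]" value="<?php echo htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8') ?>" />
<?php } // if ?>
<?php } // foreach ?>
<?php } // if ?>
  
  <div id="loginSubmit"><?php echo submit_button(lang('login')) ?><span>(<a href="<?php echo get_url('access', 'forgot_password') ?>"><?php echo lang('forgot password') ?>?</a>)</span></div>
  <!-- <p><a href="<?php echo get_url('access', 'forgot_password') ?>"><?php echo lang('forgot password') ?></a></p> -->
</form>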

<fieldset>
<a href="http://www.example.com:7000">For File Access Click Here(Web Hard)

--------------------------------------------------------------
Login Controller
-------------------------------------------------------------
<?php

  /**
  * Access login, used for handling login / logout requests
  *
  * @version 1.0
  * @author Ilija Studen <ilija.studen@gmail.com>
  */
  class AccessController extends ApplicationController {
  
    /**
    * Construct controller
    *
    * @param void
    * @return null
    */
    function __construct() {
      parent::__construct();
      
      $this->setLayout('dialog');
      $this->addHelper('form', 'breadcrumbs', 'pageactions', 'tabbednavigation', 'company_website', 'project_website');
    } // __construct
    
    /**
    * Show and process login form
    *
    * @param void
    * @return null
    */
    function login() {
      $this->addHelper('form');
      
      if(function_exists('logged_user') && (logged_user() instanceof User)) {
        $this->redirectTo('dashboard');
      } // if
      
      $login_data = array_var($_POST, 'login');
      if(!is_array($login_data)) {
        $login_data = array();
        foreach($_GET as $k => $v) {
          if(str_starts_with($k, 'ref_')) $login_data[$k] = $v;
        } // foreach
      } // if
      
      tpl_assign('login_data', $login_data);
      
      if(is_array(array_var($_POST, 'login'))) {
        $username = array_var($login_data, 'username');
        $password = array_var($login_data, 'password');
        $remember = array_var($login_data, 'remember') == 'checked';
        
        if(trim($username == '')) {
          tpl_assign('error', new Error(lang('username value missing')));
          $this->render();
        } // if
        
        if(trim($password) == '') {
          tpl_assign('error', new Error(lang('password value missing')));
          $this->render();
        } // if
        
        $user = Users::getByUsername($username, owner_company());
        if(!($user instanceof User)) {
          tpl_assign('error', new Error(lang('invalid login data')));
          $this->render();
        } // if
        
        if(!$user->isValidPassword($password)) {
          tpl_assign('error', new Error(lang('invalid login data')));
          $this->render();
        } // if
        
        try {
          CompanyWebsite::instance()->logUserIn($user, $remember);
        } catch(Exception $e) {
          tpl_assign('error', new Error(lang('invalid login data')));
          $this->render();
        } // try
        
        $ref_controller = null;
        $ref_action = null;
        $ref_params = array();
        
        foreach($login_data as $k => $v) {
          if(str_starts_with($k, 'ref_')) {
            $ref_var_name = trim(substr($k, 4, strlen($k)));
            switch ($ref_var_name) {
              case 'c':
                $ref_controller = $v;
                break;
              case 'a':
                $ref_action = $v;
                break;
              default:
                $ref_params[$ref_var_name] = $v;
            } // switch
          } // if
        } // if
        if(!count($ref_params)) $ref_params = null;
        
        if($ref_controller && $ref_action) {
          $this->redirectTo($ref_controller, $ref_action, $ref_params);
        } else {
          $this->redirectTo('dashboard');
        } // if
      } // if
    } // login
    
    /**
    * Log user out
    *
    * @access public
    * @param void
    * @return null
    */
    function logout() {
      CompanyWebsite::instance()->logUserOut();
      $this->redirectTo('access', 'login');
    } // logout
    
    /**
    * Render and process forgot password form
    *
    * @param void
    * @return null
    */
    function forgot_password() {
      $your_email = trim(array_var($_POST, 'your_email'));
      tpl_assign('your_email', $your_email);
      
      if(array_var($_POST, 'submited') == 'submited') {
        if(!is_valid_email($your_email)) {
          tpl_assign('error', new InvalidEmailAddressError($your_email, lang('invalid email address')));
          $this->render();
        } // if
        
        $user = Users::getByEmail($your_email);
        if(!($user instanceof User)) {
          flash_error(lang('email address not in use', $your_email));
          $this->redirectTo('access', 'forgot_password');
        } // if
        
        try {
          Notifier::forgotPassword($user);
          flash_success(lang('success forgot password'));
        } catch(Exception $e) {
          flash_error(lang('error forgot password'));
        } // try
        
        $this->redirectTo('access', 'forgot_password');
      } // if
    } // forgot_password
    
    /**
    * Finish the installation - create owner company and administrator
    *
    * @param void
    * @return null
    */
    function complete_installation() {
      if(Companies::getOwnerCompany() instanceof Company) {
        die('Owner company already exists'); // Somebody is trying to access this method even if the user already exists
      } // if
      
      $form_data = array_var($_POST, 'form');
      tpl_assign('form_data', $form_data);
      
      if(array_var($form_data, 'submited') == 'submited') {
        try {
          $admin_password = trim(array_var($form_data, 'admin_password'));
          $admin_password_a = trim(array_var($form_data, 'admin_password_a'));
          
          if(trim($admin_password) == '') {
            throw new Error(lang('password value required'));
          } // if
          
          if($admin_password <> $admin_password_a) {
            throw new Error(lang('passwords dont match'));
          } // if
          
          DB::beginWork();
          
          Users::delete(); // clear users table
          Companies::delete(); // clear companies table
          
          // Create the administrator user
          $administrator = new User();
          $administrator->setId(1);
          $administrator->setCompanyId(1);
          $administrator->setUsername(array_var($form_data, 'admin_username'));
          $administrator->setEmail(array_var($form_data, 'admin_email'));
          $administrator->setPassword($admin_password);
          $administrator->setIsAdmin(true);
          $administrator->setAutoAssign(true);
          
          $administrator->save();
          
          // Create a company
          $company = new Company();
          $company->setId(1);
          $company->setClientOfId(0);
          $company->setName(array_var($form_data, 'company_name'));
          $company->setCreatedById(1);
          
          $company->save();
          
          DB::commit();
          
          $this->redirectTo('access', 'login');
        } catch(Exception $e) {
          tpl_assign('error', $e);
          DB::rollback();
        } // try
      } // if
    } // complete_installation
  
  } // AccessController

?>


I would guess that you could set the name of the document window using JavaScript and assign an auto-generated ID reference to that user (as a cookie or in the database) once they log on. On every page load you could then run a JavaScript function to check whether the user's ID reference matches the ID of the window and, if it doesn't match, redirect the page to the login screen.

 

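The only downside is that you may not be able to modify the ID of the existing window, so you would need to open the login screen in a new window. Note also that a check done in JavaScript runs in the browser, so it only changes what the page shows; the server-side session still decides whether the user is logged in.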

 

 

 

Secondly, for auto-logout you can use sessions and configure the timeout in the php.ini file or with the ini_set() function. I do this for one application using the script below.

 

This creates a separate session folder and assigns a specific logout time for the application after a set amount of inactivity:

 

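## Session bootstrap: private session directory, idle timeout, output buffering.

## Lifetime of idle session data, in seconds.
## NOTE: 32400 seconds is 9 hours, not 3; use 10800 for a 3 hour limit.
$session_lifetime = 32400;
ini_set('session.gc_maxlifetime', (string) $session_lifetime);

# Keep the session cookie out of reach of page scripts.
# Also turn on session.cookie_secure once the site is served over HTTPS only.
ini_set('session.cookie_httponly', '1');

# Store sessions in a directory separate from the other sessions on the server.
# DIRECTORY_SEPARATOR replaces the $_SERVER["OS"] test, which is not set on every platform.
$sep = DIRECTORY_SEPARATOR;
$base_save_path = (string) ini_get('session.save_path');
if ($base_save_path === '') { $base_save_path = sys_get_temp_dir(); }
$sessdir = $base_save_path.$sep."SiteSessions";

# 0700: session files hold login state, so only the web server account may list or
# read them. A directory created earlier with 0777 keeps that mode and has to be
# tightened by hand.
if (!is_dir($sessdir) && !mkdir($sessdir, 0700) && !is_dir($sessdir)) {
  trigger_error('Could not create session directory, using the default save path', E_USER_WARNING);
} else {
  ini_set('session.save_path', $sessdir);
}

# Lifetime 0: the cookie is dropped when the browser is closed.
$cookie_path = "/";
session_set_cookie_params(0, $cookie_path);

session_start();

# session.gc_maxlifetime only says when old session files MAY be cleaned up; the clean-up
# runs at unpredictable times. Enforce the idle limit explicitly so that a session left
# alone for longer than the limit is emptied on its next request.
if (isset($_SESSION['last_activity']) && (time() - (int) $_SESSION['last_activity']) > $session_lifetime) {
  $_SESSION = array();
  session_regenerate_id(true); # new identifier, old session file deleted
}
$_SESSION['last_activity'] = time();

ob_start();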

 

 
